Krebs on Security

In-depth security news and investigation

Evernote Forces Password Reset for 50M Users

Online note-syncing service Evernote is forcing all of its 50 million users to reset their passwords after detecting suspicious activity on its network.

In an email message sent to users today and posted on its blog, Evernote said digital intruders gained access to customer usernames, email addresses and encrypted passwords. The company says it has found no evidence that any of the content that users store in Evernote was accessed, changed or lost, and that there is no indication payment information for Evernote Premium or Business customers was accessed.

“Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted),” the company advised. “While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.”

If you use Evernote (heck, even if you don’t), now is a great time to review your password practices. At the top of the password no-no’s list is reusing your email password at any other site. Also, while password hashing and salting can be effective at preventing attackers from working out your password should a company that stores that information get breached, it is far from solid protection. Evernote didn’t say which scheme it was using to hash passwords, but the industry standard is a fairly weak approach in which a majority of passwords can be cracked in the blink of an eye with today’s off-the-shelf hardware.

See this widely-read interview for more information on the ease with which most hashed passwords can be cracked today and what organizations might do differently to better secure their users’ information. This post has some tips on how to pick a strong password (e.g., some of the strongest passwords aren’t words at all but multi-word phrases). Finally, if you receive an email telling you to click a link to reset your Evernote password (or any other password assigned to an online service you use), don’t click: visit the site manually instead to avoid email phishing schemes.

This entry was posted on Saturday, March 2nd, 2013 at 4:52 pm and is filed under Latest Warnings.

Makes sense now why my Evernote PC version wouldn’t sync. I received no email from them saying anything was wrong. When I attempted to log into their webpage it forced a password change (and again said no reason).

Thankfully I use LastPass to generate unique passwords for each site, so even if they were able to crack the hash it won’t do any good.

I didn’t receive a communication directly from Evernote until nearly midnight UTC time on March 2. I expect that they chose to do a slow rolling email communication to prevent it from being directed into spam folders or being outright rejected.

Several hours ahead of receiving that communication, all of the devices which currently have Evernote installed popped up with the messages showing the application update they pushed today.

I have uninstalled all my Evernote apps on all devices. If they can’t keep themselves from being hacked once, they can’t guarantee it won’t happen again. Can’t trust them so I won’t use them. They weren’t all that useful anyway – I’ll stick to Onenote and Dropbox.

“See this widely-read interview for more information on the ease with which most hashed passwords can be cracked today”

Unfortunately, that interview sets up web site fast hashing as the main problem with password use, when the real issue is cracker average search time. The interview implies that a site which uses a fast hash places its users at risk, which is true only when passwords are short.

The interview suggests that a (good) slow hash may take 10,000 times as long as a (bad) fast one. But with 62 possible characters (upper and lower alphabetic, plus numerals), just adding 3 random password characters makes searching 238,328 times harder for the cracker, without bogging-down the server.

Hashing is a one-way operation, so finding the password which generates a given hash involves generating potential passwords, hashing each to a result, and comparing results to values in the captured file. Normally the cracker would start out trying the most common passwords, then words and phrases, and only then step through all possibilities of a given length, then all possibilities of the next length, and so on. Each extra password character increases the search space and effort by a factor of 62.

Serious passwords are long, 16 characters or more. Serious passwords are not structured (not words or combinations of words nor patterned numbers), but instead a sequence of randomly-selected characters. Although humans cannot remember such passwords, a password manager (e.g., Lastpass.com) can, and is easily used.

Serious passwords can prevent web site password file exposure, even with modern cracking equipment. And adding a few more password characters as a user seems better than hoping a web site will choose to implement a slower hash and burn even more of their compute time in the name of security.

I’m surprised it hasn’t become industry wide practice to email us every time an unsuccessful log in attempt is made. This would go a long way into letting one become more alert to things like this.

I’ve reset the password length on LastPass, and changed my passwords as I visit each of my sites. I’ve also set the iteration to 200 (recommended). I think that is what it is called anyway. I’ve not noticed much of a slow down in logon performance so far.

I always thought that the best password(s) would be in another language other than English using uppercase letters along with special characters. Maybe two or three random words say in Spanish with special characters in between with the first or last letters in each word in upper case. If you made it between ten to twenty characters in length then dictionary word cracking would be much more difficult.

This simplest password system dates back to nineteenth century code practices. Take a book, any book, turn to a new page for each password required and read down the first or last letter on each line. No language, no dictionary assault and you have a different fifty to seventy digit password for each situation.

Just make sure that you don’t lose the book. (Or make it an eBook that can be accessed from anywhere online.)

I suppose some people might not like all their passwords gift wrapped into a single site or database, such as Keepass and .kdbx. But if the passwords are stored on your system, and someone actually manages to get access to them then I’d think you already have bigger problems.

So the way I view it is the security benefit and convenience of a password manager outweighs the risk of them all being stored together.

Actually in my case, and presumably others, using Lastpass considerably increased the security of my accounts since every account now has 20 character random passwords other than those which don’t allow it. I mean seriously how many people actually go through the inconvenience of creating passwords of this quality, storing it and changing it using email recovery and the same method again – on every site? Not me that’s for sure … I used to use the same password over and over for convenience (which trumps potential security risks for most people).

I still don’t trust Lastpass with passwords that may lose me money were they to be compromised though – meaning internet banking and payment processors. I’ve always divided logins in this fashion. If someone wants to rape my email and forums that’s one thing but I really don’t want the inconvenience of having money stolen.

As far as I know Lastpass has never been compromised but you never know when right.

Another thing I do is I also generate my security question answers the same way I do my passwords. If security questions are actual answers and if most people dump all sorts of information willingly into their Facebook, what use are they? And that was exactly how Sarah Palin’s yahoo was gotten into.

I even once locked myself out of my online bank account this way, but I barely used it anyway. If I can’t even get into it, then no one can!

Dan Kaminsky again raised on Twitter the notion that slow password hash algorithms are better but raise the threat of DoS.

This argument has been raging for I would guess a year or more.

I still say that an ADDITIONAL secret salt stored on another server that is used exclusively for generating password hashes, and which is stored encrypted in memory for use by a compiled executable on that server, would prevent any possible cracking of downloaded password databases.

The hackers would have to compromise not only the Web server with the password database, but also a separate server unconnected to anything except the Web server, and then have to search that server’s memory, find the secret salt, extract it from a running executable, decrypt it, and exfiltrate it.

Yes, it’s complicated – for the hacker as well as the Web site developers.

I do agree that requiring longer passwords on sites would be helpful, too.
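
The separate-secret idea in the comment above (often called a pepper), sketched as an added example that is not part of the original comment thread or any site's code: the password is first keyed with an HMAC secret kept outside the password database, then run through a salted slow hash. The names `PEPPER`, `hash_password`, `verify_password` and `database_only_check`, the PBKDF2 iteration count and the sample password are assumptions; in the commenter's design the keyed step would run on the separate server.

```python
import hashlib
import hmac
import secrets

# Assumption: in the design described above this secret lives only on the
# separate hashing server; it is generated inline here so the example runs.
PEPPER = secrets.token_bytes(32)
ITERATIONS = 200_000  # assumed PBKDF2-HMAC-SHA256 work factor


def _keyed(password: str, pepper: bytes) -> bytes:
    """Key the password with the pepper (the step the separate server performs)."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Return the record the web server's database would store."""
    salt = secrets.token_bytes(16)  # per-user salt, stored next to the hash
    digest = hashlib.pbkdf2_hmac(
        "sha256", _keyed(password, pepper), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        _keyed(password, pepper),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def database_only_check(guess: str, record: dict) -> bool:
    """Test a guess with only the database record, i.e. without the real pepper."""
    stand_in = b"\x00" * 32  # any value works here; the real pepper is unknown
    return verify_password(guess, record, pepper=stand_in)


if __name__ == "__main__":
    rec = hash_password("password1")  # constructed weak sample password
    print("login with pepper available:", verify_password("password1", rec))
    print("correct guess, database only:", database_only_check("password1", rec))
```

The pepper helps only while it stays out of the stolen data, so it supplements the per-user salt and the slow hash rather than replacing them.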

Some sites are now checking password strength when users create passwords which is at least somewhat educational.

I’m switching (slowly) to using pass phrases based on names of people I like in various orders rather than passwords. When I’ve checked those against password strength meters, they’ve been identified as strong. It’s a little harder to remember the order of the names (I shuffle them around) but it’s better than what I did before, which was using one (unusual) name.

Long random passwords would SOLVE this particular problem. Individual users can act to make themselves essentially invulnerable to such attacks. This is the alternative to shivering together in dark caves waiting for the unknown to strike.

“I’m switching (slowly) to using pass phrases based on names of people I like in various orders rather than passwords. When I’ve checked those against password strength meters, they’ve been identified as strong.”

If combinations of names are not reported to be massively weaker than a random password of similar length, the strength meter is broken. This is essentially the Shannon entropy computation, a seminal work in both cryptography and data compression.

The Shannon Experiment generally comes up with about 1.6 bits of “entropy” per character; Shannon himself estimated between 0.6 and 1.3 bits per character, or about 1 bit per letter. In contrast, a random selection from among 62 characters represents about 5.9 bits per character. Thus, for word (and probably name) structures, MUCH LONGER passwords are needed, as compared to a random string. For example, when compared to the 16-character random password I suggest, English text would be about 94 characters long for similar strength (or somewhat less with case and numerals).

@Nathan: “To compromise me, one would have to break into the password manager AND know the password I keep in my brain.”

Remember that long passwords mainly protect against raw Brute Force (which a site should prevent, but might not), and Dictionary (exposure and exploitation of the hashed password file on a site) attacks. But other attacks are known.

Normally there can be no guarantee that a hiding bot is not present in a user computer. And if we do have a bot, no password (nor any 1-time 2-factor authentication or cryptographic certificate) can protect us: A bot typically will have access to every character used in a password plus the plaintext data itself (even with SSL, before enciphering and after deciphering). The breathtaking size of this security hole is why I mostly worry about bots.

Well at least with Rapport on SSL sessions; my AKLT shows no ability for keyboard capture success; and for all other sessions – Keyscrambler is better than nothing.

The few times I’ve seen manipulation by malware, it was obvious. So I know when I’m being attacked by a malware in the session. I run CCleaner and *poof*, all gone. Just as a precaution I soon after run Super-Anti-Spyware, but on limited accounts, bots usually cannot get a good hold on the system. Winpatrol will let me know if a Zeus variant has injected into the startup folder.

The whole basis of recent attacks that have rendered passwords almost useless is the many large sites whose security is so lax that they leak their hashed password databases. This is what’s provided the attackers with information about widely-used passwords; it’s also motivated the (successful) efforts to build hardware password hashers. The fact is, *most* people won’t use password safes, randomly generated long passwords, or the other mitigation tools out there. They get in the way of simple, natural use – e.g., when people need to log in from a borrowed computer (itself a major potential hazard, but people do it all the time; face it, logging in on a friend’s computer is not something you’re going to stop people from doing).

Much as I support long, safe passwords and tools like password safes, too much of the discussion of their use has a “blame the victim” tone to it. You have to build a security system that’s effective for the way people are, not the way you think they should be. And we haven’t done so. Companies have been leaking their account/password databases for years, on massive scale. For a long time, this cost them little because they kept it secret. Then, when they were forced to reveal that they’d been hacked, they quickly fell back to the “it’s safe, all the information was encrypted” defense – a defense actually written in to some of the laws forcing publication of attacks. Except, of course, that the “encryption” (hashing) of not-so-strong, not-so-appropriately-used, passwords – even if done right – doesn’t really provide enough protection. Most people aren’t really aware of that “in their bones”, and the flood of such attacks means the hit on reputation – and subsequent cost – of having your password databases stolen is now minimal.

My (not really serious) suggestion is that companies that maintain hashed password databases be required by law to place in that database, under accounts with specified names, a couple of special passwords. Like the company’s private keys. And the corporate login passwords of its top executives and the corporate and executive bank accounts. You know, just so that the cost imposed on the company’s users by its practices is imposed in the same way on the company and those in charge of it. If they do a good job, they (and their customers) are safe. If they don’t, well, there’s someone waiting to take their place.
— Jerry